sqlkata/querybuilder

Vulnerability in System.Private.Uri as a result of dependency on System.Collections.Concurrent/4.3.0

AnyFlippingUsernameWillDo opened this issue · 0 comments

Hi,

We're running a Sysdig security scan, which is reporting two vulnerabilities in system.private.uri/4.3.0: GHSA-xhfc-gr8f-ffwc and GHSA-5f2m-466j-3848.

I believe I've tracked it down to the dependency that sqlkata/querybuilder has on System.Collections.Concurrent/4.3.0.

System.Collections.Concurrent 4.3.0 (here)
depends on System.Runtime 4.3.0,
which in turn depends on runtime.any.System.Runtime 4.3.0 (if you specify a RuntimeIdentifier like linux-x64),
which in turn depends on a vulnerable package System.Private.Uri 4.3.0.

Please also see similar issues dotnet/runtime#86671 and AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#2086 for System.Text.Encoding.

I'm not certain under what circumstances System.Collections.Concurrent/4.3.0 is needed as of .NET 6+, but I'd be grateful if someone could have a look to see whether it is still necessary. If it is, it would be nice to know the best way to fix the vulnerability.

Thanks
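The chain above was traced by hand. The following script is an added example (not from the issue author, not part of SqlKata) that does the same tracing mechanically: it reads the restore graph NuGet writes to `obj/project.assets.json`, walks the `targets` section for each target framework / RuntimeIdentifier pair, and prints every dependency path from the project's direct package references to a package of interest. The embedded `SAMPLE_ASSETS` is a constructed fragment that mirrors the reported chain; the `SqlKata/2.0.0` version in it is a placeholder, not a real release. Comparison of package IDs is case-insensitive, because NuGet IDs are, which is why the scanner's `system.private.uri` and the graph's `System.Private.Uri` are the same package.

```python
"""Trace how a package enters a .NET project's transitive dependency graph.

Reads obj/project.assets.json (NuGet restore output) and prints every path from a
direct PackageReference to the package named on the command line, per target.
"""
import json
import sys

# Constructed fragment of an obj/project.assets.json for a net6.0 project restored
# with RuntimeIdentifier linux-x64. Only the keys this script uses are present.
# "SqlKata/2.0.0" is a placeholder version chosen for the example.
SAMPLE_ASSETS = {
    "version": 3,
    "targets": {
        # RID-less graph: System.Runtime 4.3.0 pulls in nothing further here.
        "net6.0": {
            "SqlKata/2.0.0": {"type": "package",
                              "dependencies": {"System.Collections.Concurrent": "4.3.0"}},
            "System.Collections.Concurrent/4.3.0": {"type": "package",
                                                    "dependencies": {"System.Runtime": "4.3.0"}},
            "System.Runtime/4.3.0": {"type": "package"},
        },
        # RID-specific graph: runtime.json adds runtime.any.System.Runtime, which
        # in turn depends on System.Private.Uri 4.3.0.
        "net6.0/linux-x64": {
            "SqlKata/2.0.0": {"type": "package",
                              "dependencies": {"System.Collections.Concurrent": "4.3.0"}},
            "System.Collections.Concurrent/4.3.0": {"type": "package",
                                                    "dependencies": {"System.Runtime": "4.3.0"}},
            "System.Runtime/4.3.0": {"type": "package",
                                     "dependencies": {"runtime.any.System.Runtime": "4.3.0"}},
            "runtime.any.System.Runtime/4.3.0": {"type": "package",
                                                 "dependencies": {"System.Private.Uri": "4.3.0"}},
            "System.Private.Uri/4.3.0": {"type": "package"},
        },
    },
    "project": {
        "frameworks": {
            "net6.0": {"dependencies": {"SqlKata": {"target": "Package", "version": "[2.0.0, )"}}}
        }
    },
}


def build_graph(target_entries):
    """Map package id -> (resolved version, {dependency id: version range}) for one target."""
    graph = {}
    for key, entry in target_entries.items():
        if entry.get("type") != "package":
            continue  # project-to-project references are not NuGet packages
        name, _, version = key.partition("/")
        graph[name] = (version, entry.get("dependencies", {}))
    return graph


def direct_dependencies(assets, target_name):
    """Direct PackageReferences for the target's framework ('net6.0/linux-x64' -> 'net6.0')."""
    tfm = target_name.split("/")[0]
    frameworks = assets.get("project", {}).get("frameworks", {})
    return sorted(frameworks.get(tfm, {}).get("dependencies", {}))


def find_paths(assets, target_name, package):
    """All paths (lists of 'Id/Version') from a direct reference to `package` in one target."""
    graph = build_graph(assets["targets"][target_name])
    roots = direct_dependencies(assets, target_name) or sorted(graph)
    wanted = package.lower()  # NuGet package ids are case-insensitive
    paths = []

    def walk(name, path):
        if name not in graph:
            return  # e.g. satisfied by the shared framework, not a package in this graph
        version, deps = graph[name]
        node = f"{name}/{version}"
        if node in path:
            return  # cycle guard; restore graphs should be acyclic but stay defensive
        path = path + [node]
        if name.lower() == wanted:
            paths.append(path)
            return
        for dep in sorted(deps):
            walk(dep, path)

    for root in roots:
        walk(root, [])
    return paths


def trace(assets, package):
    """Paths to `package` keyed by target name, for every target in the assets file."""
    return {target: find_paths(assets, target, package) for target in assets["targets"]}


if __name__ == "__main__":
    # Usage: python trace_package.py <package-id> [path/to/obj/project.assets.json]
    package_id = sys.argv[1] if len(sys.argv) > 1 else "System.Private.Uri"
    if len(sys.argv) > 2:
        with open(sys.argv[2], encoding="utf-8") as f:
            assets = json.load(f)
    else:
        assets = SAMPLE_ASSETS
    for target, paths in trace(assets, package_id).items():
        print(f"[{target}] {len(paths)} path(s) to {package_id}")
        for path in paths:
            print("  " + " -> ".join(path))
```

On the sample data the RID-less `net6.0` target reports no path, while `net6.0/linux-x64` reports the single chain SqlKata -> System.Collections.Concurrent -> System.Runtime -> runtime.any.System.Runtime -> System.Private.Uri, which is exactly why the finding only appears once a RuntimeIdentifier is set. The first element of each path is the direct reference that has to change (or be overridden with an explicit reference to a patched version of the leaf package) for the finding to go away. The SDK's own `dotnet list package --vulnerable --include-transitive` reports the same kind of finding against the GitHub Advisory Database, but it does not show the path, which is what this script adds.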